STATETECH: What is the most pressing worry or priority for you when it comes to election security?
THRELKEL: That’s the area where we want to make sure that we’ve got our backups. Those are done on a frequent basis. Because, when it comes to ransomware, what we see is that it’s the human element. That is, a lot of times, where your exposure is.
It’s pretty easy for somebody to click on a link in an email, and all of a sudden you’ve got malware spreading across a network. And if that gets into an election system, that would be especially troublesome.
One of the things that we’ve been working on is that we’ve been partnering this year with the CISA at [the Department of] Homeland Security and the Elections Infrastructure Information Sharing and Analysis Center. We’re in the process of deploying Albert sensors at each of the 36 counties. We have that at the state level and have for a couple of years. And, hopefully, here in the next few weeks, we’ll have that deployed out to all 36 counties. We’re also participating in a pilot program for endpoint detection and response. We have that installed at the secretary of state in all of our election infrastructure, and across our whole network. But we’re also looking to get that deployed out to the counties as well. Another thing is that the EI-ISAC has just come out with a malicious domain blocking and reporting system. We want to get signed up for that as well. With multifactor authentication, that just truly adds additional layers of security, on top of all the things that we do as a matter of course.
STATETECH: The endpoint protection system that you mentioned, is that something that is provided by EI-ISAC or is that something else?
THRELKEL: It was a grant from Homeland Security through the Center for Internet Security in partnership with the ISAC. They’re making it available to all 50 states that want to have it rolled out by the end of the summer. We signed on as an early adopter, because we saw the value in having that type of a system in place. We wanted to be one of the first out of the gate, and so far we are pretty pleased with it.
STATETECH: How do you prioritize election security threats?
THRELKEL: I don’t know that you can really just pick one area and focus on that. I think you have to have a very broad-based approach, and security’s about being hypervigilant. It’s just this continuing evolution: How do we continue to get better every day and make sure that our patches and our systems are up to date, that we’re monitoring the systems, that we have incident management tools in place and also training for staff.
We’re doing our annual training of the agency right now. We’ve done phishing campaigns with agency staff as well as county election staff in this past year. And we’ll continue to do that just to make sure that people are on their toes and watching for any type of vulnerability or risk that’s out there.
STATETECH: How would you compare the level of coordination between the states and federal officials on election security with where it was four years ago?
THRELKEL: Well, I wasn’t in this role four years ago. I was with the secretary of state’s office, but I was running the corporate division at that time. Just in the past year, I’ve switched over to the technology side of the house. I’ve become a little bit more familiar with what’s going on with the election security side of things. But definitely, based on everything that I’ve heard and what I’ve seen, there’s much more of a focus around collaboration and partnerships between the states and the feds, and a lot of it really is driven by those experiences in 2016. We’re participating in monthly briefings with the EI-ISAC. We also have partnered with DHS, the FBI and the Department of Justice. Last year, we did a tabletop exercise that the feds had developed, and we did that with county election staff on cybersecurity. Earlier this year, we held a joint elections security symposium with DHS, the FBI and county officials to address election security issues. A lot of that was really about having these strong partnerships in place to where we’re communicating all the time and sharing information and also looking out for each other so that we’re not caught off guard or unaware.
STATETECH: As more states that don’t have Oregon’s history with voting by mail start ramping up the infrastructure to make that possible for November, what do you think they should keep in mind when it comes to security?
THRELKEL: I think it’s along the same lines of what you would do in general: trying to secure your systems and your networks and your applications. It’s that common-sense approach, making sure that systems are updated and patched and that you don’t leave vulnerabilities out there. That’s hard to do if you’ve got multiple priorities and reduced staff — especially now, where a lot of states are looking at having budget reductions — and you’re still trying to maintain and keep everything. But I would say, when it really comes down to voting by mail, I think there’s an advantage to just really committing to that process and getting out of the in-person polling places, because it is a little bit more difficult. It’s harder to secure and maintain both systems effectively. So, if you can really just kind of narrow it down — like Oregon has done, like the state of Washington has done, Colorado — so that you just have the one process that you’re supporting and maintaining, it cuts a lot of those exposure points down. Every polling place with voting machines, those add additional risks. You can really focus your delivery system if you’re doing 100 percent of voting by mail.
STATETECH: Is there anything that keeps you up at night when it comes to election security?
THRELKEL: Misinformation is one of the things that we’ve really seen as one of the biggest concerns that came out of 2016, as well as right now. It’s pretty easy for someone to create misinformation and then spread it on social media. We are starting to see the more responsible social media companies taking proactive steps, and I think that continues to evolve. There’s just so much more of a role for how people interact online with each other and on those social media platforms that maybe didn’t exist to a great extent 10 or 20 years ago.
That’s more how things are now, but that area has to evolve. And I think that it’s difficult for a campaign or a state to really be highly effective at combating a lot of misinformation. So that’s really where I think the impetus goes back on those social media companies to really step up and recognize how their systems and tools are being used and misused, especially when it comes to elections and election security and misinformation around that.
The other thing that I find challenging is just the rapid and increasing pace of technology, and the speed at which technology becomes obsolete. What we’re finding is that the replacement cycles and the upgrade cycles are just getting shorter and shorter. We’re just in this constant learning mode for our staff with new technology, how we operate, how we secure our systems.